gentoo auto-resync : 26:12:2023 - 01:33:45

author: V3n3RiX <venerix@koprulu.sector> 2023-12-26 01:33:45 +0000
committer: V3n3RiX <venerix@koprulu.sector> 2023-12-26 01:33:45 +0000
commit: 15bb7733ddb1f16a0e3936969282ecc42419829a (patch)
tree: 56c720cc03bec3e9758966b4083b5916feca6962 /net-vpn/tor
parent: 026061ba423025e6713112920f290759cdee03c4 (diff)
3 files changed, 507 insertions, 0 deletions
diff --git a/net-vpn/tor/Manifest b/net-vpn/tor/Manifest
index 8327fff9aa95..2e07b777ef0e 100644
--- a/net-vpn/tor/Manifest
+++ b/net-vpn/tor/Manifest
@@ -1,6 +1,7 @@
 AUX README.gentoo 316 BLAKE2B 9c962395e49a2eff8411e7fb3996d99e504b0023712151acdd6bee43755be89d52c970cbf7e5aae62c0adfb33ff7ad072578b88a40857bffb359a3d2c8571947 SHA512 6ca305c710562c0f9a3f0cba07760adf300ea166c8baa47e8872719190d779fb63d4dd6c9193fb60ddb51015138790aaa93935668423e0f861f05496d22ce660
 AUX tor-0.2.7.4-torrc.sample.patch 1341 BLAKE2B c6b398d6fd417e9029196046529109ed52c7c5dd6bd38505261116e15d1516a6e200583b480fe50b6e971d2ab4336673f9e75effa9dc8d3858c6248fbe31a69b SHA512 4a6b855734717416b6615fbd76bb75a54731767a74d3ade8c58fe52f4a42ee51c93ff8d591943343f319018e18d65b768bbe8fe936200ad829ab1e262c5e9b0f
 AUX tor-0.4.7.13-libressl.patch 7513 BLAKE2B 99bc969d24fed1c6652b572f9a9b27121a92bac67d46409b15e6a6e9f9f8d1a09851b91101461d0c8dc1d2792f5226ef33c5697009f6e65edac7297531cdd348 SHA512 72e005b0e1b2bd62321865c07080bb6f19d0144e0ec630796e75efb645c4dccf0dc200e5ad05ecc5c4522faeb3c4c0caf72cb6462aa3736c3bd0c17a38206c54
+AUX tor-0.4.7.16-arm64-sandbox.patch 11942 BLAKE2B 761ca6ee26d0e39c90fb0713fc36ecdb3ff349e40795c0124bfa4f0a72c51430e3ce65df82386a1e8b1d531460fe910629a1c702234712f1a061a8e9f93e4b20 SHA512 127755058ca29fc92a02fef820dd7c43994debc1554a4624bd4cae05e4bc3970da594ad865555d0bb2a847a151e093383ac19f83d5fa44b94588f8fb58c09a47
 AUX tor.confd 44 BLAKE2B 70df86a361c7b735283c5699e4d8d8a054a84629c749adb4dc57c196d49df4492471cb8b21dde43d668b31171ee2dfae81562a70367c72801ae60046908b022e SHA512 9028ac41e3acdf4405095addb69537e87edecafaec840296ac27a5a8992fe132dc822e4e4abb8826f76460c438da2719dea17859690d03e17198a82086a3d660
 AUX tor.initd-r9 942 BLAKE2B 1008ed981e1e7040b098f5c8c509e6a5de89e94b6fa110998c50b0521b99cb80e9b793a78de3de0e0e89d56553c32f3a6566015dd2c4fd77c812577f6f637d7a SHA512 fa3a6f52dc733d27f954299cfb32fc813ef731e1d124096450f7b53f0e4fce9f41cf48b66651d1f5383c18bdca8a87d6bbe03c65dc8a5f9a58660bb8db0040a1
 AUX tor.service 1050 BLAKE2B 7f6553b9f4b928f0c924d73ee6f9df8a99ee75ec1801f6b865a7d8e40ff30290bf836907b561586d0f429b7ddf05286ab51974d207906a0fe52cb2fbcc8e160f SHA512 786481b20d7cab9696656c5136ff74c9c2aaa73ca3d63b163a294b9b3c4b628da387cb5ec3ada81277ca81cff16ead5162f3b4d64cb0d773c22f2e4607c3194b
@@ -19,6 +20,7 @@ DIST tor-0.4.8.10.tar.gz.sha256sum 86 BLAKE2B 1410a5e7e486c7c33b6b217a53d250bc3e
 DIST tor-0.4.8.10.tar.gz.sha256sum.asc 716 BLAKE2B 0154ef1defa1a8227813ef3589f1fd4215f5bd305447fec1404f7950c0b89e6d9fcb6686900e4819d0f1a635d3b08e60cdc9c96a4f74e603185afb6eb1e29279 SHA512 aaeee664c9342a6cddaacfeea6e6974ce374d746153a28943dee1db3db48a8e08f36a076856358819cae8ea2f8b7d912d0e6dc2dc772465dba3283b553f43b91
 EBUILD tor-0.4.7.13-r1.ebuild 3754 BLAKE2B 7f74903deadf5f2e3c24328a5f047144e107dd48702bc6a411df3cf8b64072a6d717e2f02938d10b5aefa15d7ba43b0477f0ead8083e7a9b45622dea57722254 SHA512 b60da829bd21e4ae3bb44886cbe8dc598a68904808d356499c54618cc31418c5d35d120a527bb96a10025ffe761aaf9018f622acbb6ee1181dacd2fa6870ff6a
 EBUILD tor-0.4.7.14.ebuild 3913 BLAKE2B 1f2a8c13e9d82e8aaba5393570542c85e0477a769bed71e73a73379657f5425d407dee0520373959ac17ba26c02276c4363baae8ae54b0bb4fd0c1df11ae1732 SHA512 fc3e7c1f3dc339be7b0773fce16c56b92cafb437540e6f59c22f6e61268ed9522f2de9a677c49781bae3442bc741a6272643d16b10f9d6b6b9f31c6b31443fad
+EBUILD tor-0.4.7.16-r1.ebuild 3891 BLAKE2B d60319499bd332009a5baa4e603589c0e074a101c33d547d6468552a8048713074360ad032cfeb7a834481ee33bc103e8f7f9e6cbf654d59ff9fa8ecb241c0c5 SHA512 8ebb315dbb9918d6fc31a221215476d1bfbe4345cb014603685256fb94e279eead88e838d757dca745b0580c8b1bb7c97e3b3a45ed37dec8128cd22f3d46078c
 EBUILD tor-0.4.7.16.ebuild 3848 BLAKE2B 055aedeb3699510785c8584261144648af057e861257c7aa70d212cc91f98decbafb7451c27452b5fb42f7da201c783ded2dc0c9d76ebf6ac107965efe270100 SHA512 1838b05d4e023e4e09c8e5b185cec464f2c26e8fcd48d4dc5645402667dd3afddb79a7727cc457d3c4c6b40ca2b18f8b79a9e3b8aa7c434f727ab27f9c48088d
 EBUILD tor-0.4.8.10.ebuild 4301 BLAKE2B 223c26c7e8b70f06dedc56f2e90b4e37e66345c0b2886c75f11fc2b31d54e1383b4ebb9ad6cf2bf94095add9914a5c55995d96c19d51896a996c69b79a5f2795 SHA512 440ee0ce19e6203c4e4195568cd2c74ef67b00ef4ae23ca43563d3cde8426e795a4e2f22f7aa64ae7bf244b96b8583854ca4fd2dc6aa36b6be235e9ebf2a8281
 EBUILD tor-9999.ebuild 4301 BLAKE2B 223c26c7e8b70f06dedc56f2e90b4e37e66345c0b2886c75f11fc2b31d54e1383b4ebb9ad6cf2bf94095add9914a5c55995d96c19d51896a996c69b79a5f2795 SHA512 440ee0ce19e6203c4e4195568cd2c74ef67b00ef4ae23ca43563d3cde8426e795a4e2f22f7aa64ae7bf244b96b8583854ca4fd2dc6aa36b6be235e9ebf2a8281
diff --git a/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch b/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch
new file mode 100644
index 000000000000..2b473bf981b6
--- /dev/null
+++ b/net-vpn/tor/files/tor-0.4.7.16-arm64-sandbox.patch
@@ -0,0 +1,337 @@
+From https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/574
+Gentoo Bug: https://bugs.gentoo.org/920063
+From: Pierre Bourdon <delroth@gmail.com>
+Date: Sat, 30 Apr 2022 11:52:59 +0200
+Subject: [PATCH 1/4] sandbox: fix openat filtering on AArch64
+
+New glibc versions not sign-extending 32 bit negative constants seems to
+not be a thing on AArch64. I suspect that this might not be the only
+architecture where the sign-extensions is happening, and the correct fix
+might be instead to use a proper 32 bit comparison for the first openat
+parameter. For now, band-aid fix this so the sandbox can work again on
+AArch64.
+--- a/src/lib/sandbox/sandbox.c
++++ b/src/lib/sandbox/sandbox.c
+@@ -518,7 +518,12 @@ libc_uses_openat_for_opendir(void)
+ static int
+ libc_negative_constant_needs_cast(void)
+ {
++#if defined(__aarch64__) && defined(__LP64__)
++  /* Existing glibc versions always sign-extend to 64 bits on AArch64. */
++  return 0;
++#else
+   return is_libc_at_least(2, 27);
++#endif
+ }
+ 
+ /** Allow a single file to be opened.  If <b>use_openat</b> is true,
+-- 
+GitLab
+
+
+From 8fd13f7a7bfd4efc02d888ce9d10bcb6a80a03c8 Mon Sep 17 00:00:00 2001
+From: Pierre Bourdon <delroth@gmail.com>
+Date: Sat, 30 Apr 2022 13:02:16 +0200
+Subject: [PATCH 2/4] sandbox: filter {chown,chmod,rename} via their *at
+ variant on Aarch64
+
+The chown/chmod/rename syscalls have never existed on AArch64, and libc
+implements the POSIX functions via the fchownat/fchmodat/renameat
+syscalls instead.
+
+Add new filter functions for fchownat/fchmodat/renameat, not made
+architecture specific since the syscalls exists everywhere else too.
+However, in order to limit seccomp filter space usage, we only insert
+rules for one of {chown, chown32, fchownat} depending on the
+architecture (resp. {chmod, fchmodat}, {rename, renameat}).
+--- a/src/lib/sandbox/sandbox.c
++++ b/src/lib/sandbox/sandbox.c
+@@ -614,6 +614,32 @@ sb_chmod(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+   return 0;
+ }
+ 
++static int
++sb_fchmodat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
++{
++  int rc;
++  sandbox_cfg_t *elem = NULL;
++
++  // for each dynamic parameter filters
++  for (elem = filter; elem != NULL; elem = elem->next) {
++    smp_param_t *param = elem->param;
++
++    if (param != NULL && param->prot == 1 && param->syscall
++        == SCMP_SYS(fchmodat)) {
++      rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchmodat),
++          SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++          SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
++      if (rc != 0) {
++        log_err(LD_BUG,"(Sandbox) failed to add fchmodat syscall, received "
++            "libseccomp error %d", rc);
++        return rc;
++      }
++    }
++  }
++
++  return 0;
++}
++
+ #ifdef __i386__
+ static int
+ sb_chown32(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+@@ -666,6 +692,32 @@ sb_chown(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+ }
+ #endif /* defined(__i386__) */
+ 
++static int
++sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
++{
++  int rc;
++  sandbox_cfg_t *elem = NULL;
++
++  // for each dynamic parameter filters
++  for (elem = filter; elem != NULL; elem = elem->next) {
++    smp_param_t *param = elem->param;
++
++    if (param != NULL && param->prot == 1 && param->syscall
++        == SCMP_SYS(fchownat)) {
++      rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat),
++          SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++          SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
++      if (rc != 0) {
++        log_err(LD_BUG,"(Sandbox) failed to add fchownat syscall, received "
++            "libseccomp error %d", rc);
++        return rc;
++      }
++    }
++  }
++
++  return 0;
++}
++
+ /**
+  * Function responsible for setting up the rename syscall for
+  * the seccomp filter sandbox.
+@@ -697,6 +749,39 @@ sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+   return 0;
+ }
+ 
++/**
++ * Function responsible for setting up the renameat syscall for
++ * the seccomp filter sandbox.
++ */
++static int
++sb_renameat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
++{
++  int rc;
++  sandbox_cfg_t *elem = NULL;
++
++  // for each dynamic parameter filters
++  for (elem = filter; elem != NULL; elem = elem->next) {
++    smp_param_t *param = elem->param;
++
++    if (param != NULL && param->prot == 1 &&
++        param->syscall == SCMP_SYS(renameat)) {
++
++      rc = seccomp_rule_add_4(ctx, SCMP_ACT_ALLOW, SCMP_SYS(renameat),
++            SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++            SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
++            SCMP_CMP_NEG(2, SCMP_CMP_EQ, AT_FDCWD),
++            SCMP_CMP_STR(3, SCMP_CMP_EQ, param->value2));
++      if (rc != 0) {
++        log_err(LD_BUG,"(Sandbox) failed to add renameat syscall, received "
++            "libseccomp error %d", rc);
++        return rc;
++      }
++    }
++  }
++
++  return 0;
++}
++
+ /**
+  * Function responsible for setting up the openat syscall for
+  * the seccomp filter sandbox.
+@@ -1317,7 +1402,9 @@ static sandbox_filter_func_t filter_func[] = {
+ #else
+     sb_chown,
+ #endif
++    sb_fchownat,
+     sb_chmod,
++    sb_fchmodat,
+     sb_open,
+     sb_openat,
+     sb_opendir,
+@@ -1325,6 +1412,7 @@ static sandbox_filter_func_t filter_func[] = {
+     sb_ptrace,
+ #endif
+     sb_rename,
++    sb_renameat,
+ #ifdef __NR_fcntl64
+     sb_fcntl64,
+ #endif
+@@ -1592,10 +1680,24 @@ new_element(int syscall, char *value)
+ 
+ #ifdef __i386__
+ #define SCMP_chown SCMP_SYS(chown32)
++#elif defined(__aarch64__) && defined(__LP64__)
++#define SCMP_chown SCMP_SYS(fchownat)
+ #else
+ #define SCMP_chown SCMP_SYS(chown)
+ #endif
+ 
++#if defined(__aarch64__) && defined(__LP64__)
++#define SCMP_chmod SCMP_SYS(fchmodat)
++#else
++#define SCMP_chmod SCMP_SYS(chmod)
++#endif
++
++#if defined(__aarch64__) && defined(__LP64__)
++#define SCMP_rename SCMP_SYS(renameat)
++#else
++#define SCMP_rename SCMP_SYS(rename)
++#endif
++
+ #ifdef __NR_stat64
+ #define SCMP_stat SCMP_SYS(stat64)
+ #else
+@@ -1633,7 +1735,7 @@ sandbox_cfg_allow_chmod_filename(sandbox_cfg_t **cfg, char *file)
+ {
+   sandbox_cfg_t *elem = NULL;
+ 
+-  elem = new_element(SCMP_SYS(chmod), file);
++  elem = new_element(SCMP_chmod, file);
+ 
+   elem->next = *cfg;
+   *cfg = elem;
+@@ -1659,7 +1761,7 @@ sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2)
+ {
+   sandbox_cfg_t *elem = NULL;
+ 
+-  elem = new_element2(SCMP_SYS(rename), file1, file2);
++  elem = new_element2(SCMP_rename, file1, file2);
+ 
+   elem->next = *cfg;
+   *cfg = elem;
+-- 
+GitLab
+
+
+From eb0749d64917fee6ff74c3810dbec8cd063f546c Mon Sep 17 00:00:00 2001
+From: Pierre Bourdon <delroth@gmail.com>
+Date: Wed, 4 May 2022 07:19:40 +0200
+Subject: [PATCH 3/4] sandbox: replace SCMP_CMP_NEG with masked equality checks
+
+For some syscalls the kernel ABI uses 32 bit signed integers. Whether
+these 32 bit integer values are sign extended or zero extended to the
+native 64 bit register sizes is undefined and dependent on the {arch,
+compiler, libc} being used. Instead of trying to detect which cases
+zero-extend and which cases sign-extend, this commit uses a masked
+equality check on the lower 32 bits of the value.
+--- a/src/lib/sandbox/sandbox.c
++++ b/src/lib/sandbox/sandbox.c
+@@ -141,10 +141,12 @@ static sandbox_cfg_t *filter_dynamic = NULL;
+  * the high bits of the value might get masked out improperly. */
+ #define SCMP_CMP_MASKED(a,b,c) \
+   SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
+-/* For negative constants, the rule to add depends on the glibc version. */
+-#define SCMP_CMP_NEG(a,op,b) (libc_negative_constant_needs_cast() ? \
+-                              (SCMP_CMP((a), (op), (unsigned int)(b))) : \
+-                              (SCMP_CMP_STR((a), (op), (b))))
++/* Negative constants aren't consistently sign extended or zero extended.
++ * Different compilers, libc, and architectures behave differently. For cases
++ * where the kernel ABI uses a 32 bit integer, this macro can be used to
++ * mask-compare only the lower 32 bits of the value. */
++#define SCMP_CMP_LOWER32_EQ(a,b) \
++  SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, 0xFFFFFFFF, (unsigned int)(b))
+ 
+ /** Variable used for storing all syscall numbers that will be allowed with the
+  * stage 1 general Tor sandbox.
+@@ -513,19 +515,6 @@ libc_uses_openat_for_opendir(void)
+          (is_libc_at_least(2, 15) && !is_libc_at_least(2, 22));
+ }
+ 
+-/* Return true if we think we're running with a libc that needs to cast
+- * negative arguments like AT_FDCWD for seccomp rules. */
+-static int
+-libc_negative_constant_needs_cast(void)
+-{
+-#if defined(__aarch64__) && defined(__LP64__)
+-  /* Existing glibc versions always sign-extend to 64 bits on AArch64. */
+-  return 0;
+-#else
+-  return is_libc_at_least(2, 27);
+-#endif
+-}
+-
+ /** Allow a single file to be opened.  If <b>use_openat</b> is true,
+  * we're using a libc that remaps all the opens into openats. */
+ static int
+@@ -533,7 +522,7 @@ allow_file_open(scmp_filter_ctx ctx, int use_openat, const char *file)
+ {
+   if (use_openat) {
+     return seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
+-                              SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++                              SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
+                               SCMP_CMP_STR(1, SCMP_CMP_EQ, file));
+   } else {
+     return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
+@@ -627,7 +616,7 @@ sb_fchmodat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+     if (param != NULL && param->prot == 1 && param->syscall
+         == SCMP_SYS(fchmodat)) {
+       rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchmodat),
+-          SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++          SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
+           SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
+       if (rc != 0) {
+         log_err(LD_BUG,"(Sandbox) failed to add fchmodat syscall, received "
+@@ -705,7 +694,7 @@ sb_fchownat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+     if (param != NULL && param->prot == 1 && param->syscall
+         == SCMP_SYS(fchownat)) {
+       rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fchownat),
+-          SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++          SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
+           SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value));
+       if (rc != 0) {
+         log_err(LD_BUG,"(Sandbox) failed to add fchownat syscall, received "
+@@ -767,9 +756,9 @@ sb_renameat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+         param->syscall == SCMP_SYS(renameat)) {
+ 
+       rc = seccomp_rule_add_4(ctx, SCMP_ACT_ALLOW, SCMP_SYS(renameat),
+-            SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++            SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
+             SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
+-            SCMP_CMP_NEG(2, SCMP_CMP_EQ, AT_FDCWD),
++            SCMP_CMP_LOWER32_EQ(2, AT_FDCWD),
+             SCMP_CMP_STR(3, SCMP_CMP_EQ, param->value2));
+       if (rc != 0) {
+         log_err(LD_BUG,"(Sandbox) failed to add renameat syscall, received "
+@@ -799,7 +788,7 @@ sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
+     if (param != NULL && param->prot == 1 && param->syscall
+         == SCMP_SYS(openat)) {
+       rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
+-          SCMP_CMP_NEG(0, SCMP_CMP_EQ, AT_FDCWD),
++          SCMP_CMP_LOWER32_EQ(0, AT_FDCWD),
+           SCMP_CMP_STR(1, SCMP_CMP_EQ, param->value),
+           SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|
+               O_CLOEXEC));
+-- 
+GitLab
+
+
+From 42034ae9da2866c67ce8cb8522d6a619d8b21170 Mon Sep 17 00:00:00 2001
+From: Pierre Bourdon <delroth@gmail.com>
+Date: Wed, 4 May 2022 07:31:06 +0200
+Subject: [PATCH 4/4] changes: add entry for MR !574
+
+--- /dev/null
++++ b/changes/aarch64_sandbox
+@@ -0,0 +1,5 @@
++  o Minor bugfixes (sandbox):
++    - Fix sandbox support on AArch64 systems. More "*at" variants of syscalls
++      are now supported. Signed 32 bit syscall parameters are checked more
++      precisely, which should lead to lower likelihood of breakages with future
++      compiler and libc releases. Fixes bug 40599; bugfix on 0.4.4.3-alpha.
+-- 
+GitLab
+
diff --git a/net-vpn/tor/tor-0.4.7.16-r1.ebuild b/net-vpn/tor/tor-0.4.7.16-r1.ebuild
new file mode 100644
index 000000000000..1c40fca5fb09
--- /dev/null
+++ b/net-vpn/tor/tor-0.4.7.16-r1.ebuild
@@ -0,0 +1,168 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..12} )
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/torproject.org.asc
+inherit edo python-any-r1 readme.gentoo-r1 systemd verify-sig
+
+MY_PV="$(ver_rs 4 -)"
+MY_PF="${PN}-${MY_PV}"
+DESCRIPTION="Anonymizing overlay network for TCP"
+HOMEPAGE="https://www.torproject.org/ https://gitlab.torproject.org/tpo/core/tor/"
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://gitlab.torproject.org/tpo/core/tor"
+	inherit autotools git-r3
+else
+	SRC_URI="
+		https://www.torproject.org/dist/${MY_PF}.tar.gz
+		https://archive.torproject.org/tor-package-archive/${MY_PF}.tar.gz
+		verify-sig? (
+			https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum
+			https://dist.torproject.org/${MY_PF}.tar.gz.sha256sum.asc
+		)
+	"
+
+	S="${WORKDIR}/${MY_PF}"
+
+	if [[ ${PV} != *_alpha* && ${PV} != *_beta* && ${PV} != *_rc* ]]; then
+		KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86 ~ppc-macos"
+	fi
+
+	BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-tor-20230727 )"
+fi
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+IUSE="caps doc lzma +man scrypt seccomp selinux +server systemd tor-hardening test zstd"
+RESTRICT="!test? ( test )"
+
+DEPEND="
+	>=dev-libs/libevent-2.1.12-r1:=[ssl]
+	dev-libs/openssl:=[-bindist(-)]
+	sys-libs/zlib
+	caps? ( sys-libs/libcap )
+	man? ( app-text/asciidoc )
+	lzma? ( app-arch/xz-utils )
+	scrypt? ( app-crypt/libscrypt )
+	seccomp? ( >=sys-libs/libseccomp-2.4.1 )
+	systemd? ( sys-apps/systemd:= )
+	zstd? ( app-arch/zstd:= )
+"
+RDEPEND="
+	acct-user/tor
+	acct-group/tor
+	${DEPEND}
+	selinux? ( sec-policy/selinux-tor )
+"
+DEPEND+="
+	test? (
+		${DEPEND}
+		${PYTHON_DEPS}
+	)
+"
+
+DOCS=()
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-0.2.7.4-torrc.sample.patch
+	"${FILESDIR}"/${P}-arm64-sandbox.patch
+)
+
+pkg_setup() {
+	use test && python-any-r1_pkg_setup
+}
+
+src_unpack() {
+	if [[ ${PV} == 9999 ]] ; then
+		git-r3_src_unpack
+	else
+		if use verify-sig; then
+			cd "${DISTDIR}" || die
+			verify-sig_verify_detached ${MY_PF}.tar.gz.sha256sum{,.asc}
+			verify-sig_verify_unsigned_checksums \
+				${MY_PF}.tar.gz.sha256sum sha256 ${MY_PF}.tar.gz
+			cd "${WORKDIR}" || die
+		fi
+
+		default
+	fi
+}
+
+src_prepare() {
+	default
+
+	# Running shellcheck automagically isn't useful for ebuild testing.
+	echo "exit 0" > scripts/maint/checkShellScripts.sh || die
+
+	if [[ ${PV} == 9999 ]] ; then
+		eautoreconf
+	fi
+}
+
+src_configure() {
+	use doc && DOCS+=( README.md ChangeLog ReleaseNotes doc/HACKING )
+
+	export ac_cv_lib_cap_cap_init=$(usex caps)
+	export tor_cv_PYTHON="${EPYTHON}"
+
+	local myeconfargs=(
+		--localstatedir="${EPREFIX}/var"
+		--disable-all-bugs-are-fatal
+		--enable-system-torrc
+		--disable-android
+		--disable-coverage
+		--disable-html-manual
+		--disable-libfuzzer
+		--enable-missing-doc-warnings
+		--disable-module-dirauth
+		--enable-pic
+		--disable-restart-debugging
+
+		$(use_enable man asciidoc)
+		$(use_enable man manpage)
+		$(use_enable lzma)
+		$(use_enable scrypt libscrypt)
+		$(use_enable seccomp)
+		$(use_enable server module-relay)
+		$(use_enable systemd)
+		$(use_enable tor-hardening gcc-hardening)
+		$(use_enable tor-hardening linker-hardening)
+		$(use_enable test unittests)
+		$(use_enable zstd)
+	)
+
+	econf "${myeconfargs[@]}"
+}
+
+src_test() {
+	local skip_tests=(
+		# Fails in sandbox
+		:sandbox/open_filename
+		:sandbox/openat_filename
+	)
+
+	# The makefile runs these by parallel by chunking them with a script
+	# but that means we lose verbosity and can't skip individual tests easily
+	# either.
+	edo ./src/test/test --verbose "${skip_tests[@]}"
+}
+
+src_install() {
+	default
+	readme.gentoo_create_doc
+
+	newconfd "${FILESDIR}"/tor.confd tor
+	newinitd "${FILESDIR}"/tor.initd-r9 tor
+	systemd_dounit "${FILESDIR}"/tor.service
+
+	keepdir /var/lib/tor
+
+	fperms 750 /var/lib/tor
+	fowners tor:tor /var/lib/tor
+
+	insinto /etc/tor/
+	newins "${FILESDIR}"/torrc-r2 torrc
+}
author	V3n3RiX <venerix@koprulu.sector>	2023-12-26 01:33:45 +0000
committer	V3n3RiX <venerix@koprulu.sector>	2023-12-26 01:33:45 +0000
commit	15bb7733ddb1f16a0e3936969282ecc42419829a (patch)
tree	56c720cc03bec3e9758966b4083b5916feca6962 /net-vpn/tor
parent	026061ba423025e6713112920f290759cdee03c4 (diff)